feat: enhance domain compromise inference from ares reports #205

Merged: l50 merged 1 commit into main from fix/scoreboard on May 15, 2026
Conversation

Contributor

@l50 l50 commented May 15, 2026

Key Changes:

  • Improved domain ownership detection by incorporating explicit domain admin
    signals from Ares reports, not just krbtgt extraction
  • Added support for tracking and crediting admin user accounts responsible for
    domain compromise
  • Refined inference logic to verify domains and DC hosts based on new domain
    admin signals, increasing accuracy of scoreboard results

Added:

  • Extraction and propagation of admin_users from Ares domain_compromise[]
    metadata, including new field in struct and jq filter
  • domainAdminEvidence function to synthesize evidence details from admin user
    accounts
  • New test coverage for domain compromise cases where ownership is established
    via domain admin without golden ticket or krbtgt extraction

Changed:

  • Domain and host inference logic to utilize explicit domain admin findings,
    ensuring correct credit even when DA accounts are built-in or not present in
    credential objectives
  • JSONL synthesis to emit a distinct domain_admin signal and evidence for each
    compromised domain
  • Scoreboard verification to distinguish between DA credential, domain admin
    signal, and golden ticket paths, improving reason and evidence reporting
  • Filtering of synthetic findings (techniques and domain_admin) from
    unmatched findings to reduce noise in status reports
  • Updated and expanded comments for clarity around new inference paths and
    handling of Ares metadata

Removed:

  • Outdated test cases and comments that assumed krbtgt extraction was the sole
    signal for domain compromise

…promise

**Added:**

- Infer domain and DC host ownership directly from has_domain_admin signals in
  ares domain_compromise entries, even without krbtgt evidence
- Include admin_users field in aresDomainCompromise struct and synthesize
  evidence in findings for improved attribution
- New function domainsFromDomainAdminFindings to extract owned domains from
  domain_admin signals in findings
- New function inferDCHostsFromDomainAdmin to infer DC host ownership via
  domain_admin signals
- New function domainAdminEvidence to format admin user evidence for findings
- Tests to verify domain and host inference from has_domain_admin with and
  without golden_ticket

**Changed:**

- Update JSON query and aresDomainCompromise struct to include admin_users
- Synthesize new findings for domain_admin state in
  writeDomainCompromiseEntries, producing explicit domain_admin:<domain> targets
- Update domain and host inference logic in verify.go to account for new
  domain_admin findings, including markHostInferred and markDomainInferred to
  use new evidence and reason fields
- Adjust test coverage to validate new domain ownership inference paths and
  ensure uncompromised domains do not produce false positives

**Removed:**

- Legacy comments and test references to krbtgt-only inference paths, clarifying
  that domain_admin state is now authoritative for domain ownership signals
@l50 l50 merged commit 76e32d1 into main May 15, 2026
9 checks passed
@l50 l50 deleted the fix/scoreboard branch May 15, 2026 22:29
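The inference path the PR describes (an Ares `domain_compromise[]` entry with `has_domain_admin` becomes a synthetic `domain_admin:<domain>` finding with admin-user evidence, from which owned domains and their DC hosts are credited, while domains without the signal are not), shown as an added Go example. This is not the project's own code: the struct and function names echo the ones the PR text mentions (`aresDomainCompromise`, `domainAdminEvidence`, `domainsFromDomainAdminFindings`, `inferDCHostsFromDomainAdmin`), but their shapes, the `domain` and `dc_hosts` fields, the `finding` type and `inferFromReport` are assumptions, and the report JSON is constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// aresDomainCompromise is the shape this example assumes for one
// domain_compromise[] entry. has_domain_admin, admin_users and golden_ticket
// are named in the PR text; domain and dc_hosts are assumptions.
type aresDomainCompromise struct {
	Domain         string   `json:"domain"`
	HasDomainAdmin bool     `json:"has_domain_admin"`
	AdminUsers     []string `json:"admin_users"`
	GoldenTicket   bool     `json:"golden_ticket"`
	DCHosts        []string `json:"dc_hosts"`
}

type aresReport struct {
	DomainCompromise []aresDomainCompromise `json:"domain_compromise"`
}

// finding is a synthetic scoreboard finding (assumed shape). Target uses the
// "<signal>:<domain>" form the PR describes, e.g. domain_admin:<domain>.
type finding struct {
	Target, Reason, Evidence string
	Hosts                    []string
}

// domainAdminEvidence renders the admin accounts behind a domain_admin signal.
// A built-in DA account may not be listed, so an empty list is still evidence.
func domainAdminEvidence(dc aresDomainCompromise) string {
	if len(dc.AdminUsers) == 0 {
		return "domain admin reached; no named admin_users (built-in account)"
	}
	users := append([]string(nil), dc.AdminUsers...)
	sort.Strings(users)
	return "domain admin via " + strings.Join(users, ", ")
}

// synthesizeFindings emits one domain_admin finding per compromised domain,
// plus a separate golden_ticket finding when the report claims one, so the
// verifier can report which path established ownership. Entries without
// has_domain_admin produce nothing and therefore earn no credit.
func synthesizeFindings(entries []aresDomainCompromise) []finding {
	var out []finding
	for _, dc := range entries {
		if !dc.HasDomainAdmin {
			continue
		}
		out = append(out, finding{"domain_admin:" + dc.Domain,
			"ares has_domain_admin", domainAdminEvidence(dc), dc.DCHosts})
		if dc.GoldenTicket {
			out = append(out, finding{"golden_ticket:" + dc.Domain,
				"ares golden_ticket", "golden ticket reported for " + dc.Domain, dc.DCHosts})
		}
	}
	return out
}

// domainsFromDomainAdminFindings returns the sorted set of domains owned via a
// domain_admin signal, independent of any krbtgt or golden-ticket evidence.
func domainsFromDomainAdminFindings(fs []finding) []string {
	seen := map[string]bool{}
	for _, f := range fs {
		if strings.HasPrefix(f.Target, "domain_admin:") {
			seen[strings.TrimPrefix(f.Target, "domain_admin:")] = true
		}
	}
	return sortedKeys(seen)
}

// inferDCHostsFromDomainAdmin marks every DC of an owned domain as owned:
// domain admin on the domain implies control of its domain controllers.
func inferDCHostsFromDomainAdmin(fs []finding) []string {
	seen := map[string]bool{}
	for _, f := range fs {
		if !strings.HasPrefix(f.Target, "domain_admin:") {
			continue
		}
		for _, h := range f.Hosts {
			seen[h] = true
		}
	}
	return sortedKeys(seen)
}

func sortedKeys(m map[string]bool) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// sampleReport is a constructed Ares-style report: two owned domains (one via
// a built-in account plus golden ticket) and one that must not be credited.
const sampleReport = `{"domain_compromise": [
 {"domain":"corp.example","has_domain_admin":true,"admin_users":["svc_backup","Administrator"],"golden_ticket":false,"dc_hosts":["dc01.corp.example"]},
 {"domain":"dev.example","has_domain_admin":true,"admin_users":[],"golden_ticket":true,"dc_hosts":["dc01.dev.example","dc02.dev.example"]},
 {"domain":"lab.example","has_domain_admin":false,"admin_users":[],"golden_ticket":false,"dc_hosts":["dc01.lab.example"]}
]}`

// inferFromReport parses a report and returns owned domains, owned DC hosts
// and the synthetic findings that justify them.
func inferFromReport(data []byte) (domains, hosts []string, fs []finding, err error) {
	var rep aresReport
	if err = json.Unmarshal(data, &rep); err != nil {
		return nil, nil, nil, err
	}
	fs = synthesizeFindings(rep.DomainCompromise)
	return domainsFromDomainAdminFindings(fs), inferDCHostsFromDomainAdmin(fs), fs, nil
}

func main() {
	domains, hosts, fs, err := inferFromReport([]byte(sampleReport))
	if err != nil {
		panic(err)
	}
	fmt.Println("owned domains:", domains)
	fmt.Println("owned DC hosts:", hosts)
	for _, f := range fs {
		fmt.Printf("%s (%s): %s\n", f.Target, f.Reason, f.Evidence)
	}
}
```

Running it credits corp.example and dev.example with their three DC hosts and leaves lab.example uncredited; the corp.example evidence string names both admin accounts, while dev.example is credited on the built-in-account path and additionally records its golden_ticket finding, which is the distinction between paths the PR adds to the scoreboard's reason and evidence reporting.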